Re: [sacm] [Rats] CoSWID and EAT and CWT
Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Wed, 27 November 2019 17:18 UTC
Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04321120A4F; Wed, 27 Nov 2019 09:18:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C9qxI9aol5hh; Wed, 27 Nov 2019 09:18:52 -0800 (PST)
Received: from mailext.sit.fraunhofer.de (mailext.sit.fraunhofer.de [141.12.72.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BDAA120979; Wed, 27 Nov 2019 09:18:51 -0800 (PST)
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.15.2/8.15.2/Debian-10) with ESMTPS id xARHIlW0018081 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Wed, 27 Nov 2019 18:18:48 +0100
Received: from [192.168.178.8] (134.102.43.219) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.468.0; Wed, 27 Nov 2019 18:18:42 +0100
To: Thomas Fossati <Thomas.Fossati@arm.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Laurence Lundblade <lgl@island-resort.com>, "sacm@ietf.org" <sacm@ietf.org>, "rats@ietf.org" <rats@ietf.org>
References: <2A12D8A3-722A-44D1-8011-218C89C8B50B@island-resort.com> <VI1PR08MB5360236E3583EBD3A78085EDFA490@VI1PR08MB5360.eurprd08.prod.outlook.com> <60C4E362-02FD-4DDF-BFB4-D09D358282D4@arm.com> <b5bca8a7-7e7c-4432-a1be-6cf1fc21c352@sit.fraunhofer.de> <05D67FD7-B95E-4716-B844-2F2F3A09030F@arm.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <fba872b3-e326-ea54-8253-fccaa74a06fc@sit.fraunhofer.de>
Date: Wed, 27 Nov 2019 18:18:41 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <05D67FD7-B95E-4716-B844-2F2F3A09030F@arm.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [134.102.43.219]
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/0p7rpR54KKN39t9tLn1sAwlYO4Y>
Subject: Re: [sacm] [Rats] CoSWID and EAT and CWT
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 17:18:55 -0000
Hello Thomas, we have a coswid extension in the queue that allows for the inclusion of hash-entries to very kind of resource-collection type (and also 12-14 additional indexes, I think, that allow for the creation of Reference Integrity Manifests, including hashes for running processes). But this will not be submitted this year anymore, I am afraid. Very early next year! You were not looking at the wrong place, it simply is not there yet, because the inclusion of hash-entries is done via "any attributes" in ISO XML SWIDs and NISTIR 8060 is focusing on files (not filesystem-items, which would include directories). But we are very aware of that and will remediate that very soon (aka the CDDL is already written and passed multi-peer internal review). It will be less of a "magic firmware recipe", though. If there is interest, we can increase the detail about how to reference and locate SUIT manifest content (the CDDL unpack operator can help with that, therefore retaining the semantic relationship with the SUIT manifest however you want to use it). Viele Grüße, Henk On 27.11.19 17:59, Thomas Fossati wrote: > Hi Henk > > Thanks very much for your input. > > On 27/11/2019, 13:24, "Henk Birkholz" <henk.birkholz@sit.fraunhofer.de> wrote: >> yes there are ways to deal with firmware in SWID, namely the resource >> type (index 19) in the set of SWID resource-collection [1] in >> combination with the rel type (index 40) entries. >> >> This way, you would not have to use filesystem-items, but this way is >> also a bit clunky and would require an informational guidance document >> describing how to use *SWID for that. > > That's interesting because initially I also tried to use the resource > type -- which looked like the less wrong among all the available types > in the resource collection. However it wasn't clear to me how to > associate a checksum to the component, hence I went for the > filesystem-item. Maybe I was just looking in the wrong place or maybe, > as you say, there's a magic firmware recipe that's worth documenting > here. > >> There are some quite smart ways to do that actually with >> filesystem-items, but I think it is more feasible to use a SUIT >> manifest here to describe everything relevant to the "firmware thingy" >> and then put a CoSWID into the SUIT manifest's outer wrapper [2] that >> then represents the rest of the semantics that is not covered by the >> manifest but by CoSWID. This method is fine, as the COSE envelope >> around the EAT will make tempering with the outer wrapper of the SUIT >> Manifest evident. >> >> I think that is a more elegant way to do it, actually, and the reason >> why issue #46 in the EAT repo proposes to define a Claim to include a >> SUIT Manifest in an EAT, too. > > I'll look into this, thanks for the pointer. > > Stepping back for a second and looking from the perspective of my > immediate requirement (i.e., "Is it possible to translate PSA's software > component claim using purely EAT constructs?"), ideally I'd like to have > something that is expressive enough to encode my semantics (i.e.: SW > component name, version, signer and measurement) without being overly > complex. Your examples look very close to the CoSWID as RIM, maybe the gaps to fill here in order to represent "filesystem-less" firmware is in fact relatively small. We will submit the CoSWID RIM part in a few weeks and will get some feedback on that (e.g. hash-entries for resources). > > So my knee-jerk reaction is if that implies pulling a dependency on > SUIT maybe it's a bit too much? But I confess haven't yet looked at > the details of your proposal nor I can claim enough SUIT-foo to really > grok the complexity involved. As said, I'll have a look shortly. The SUIT manifest can look very complex (CDDL-wise), but please keep in mind that most members (content items) are optional, so an actual instance of SUIT manifest can be quite... concise :) While I see the point in doing it "all in one thing" the SUIT manifest is an excellent representation for what is needed in updating small and big or cloudy things and redundant semantics in data formats often create corresponding friction in semantic interoperability later on (iotdir hat on opinion). So my first reaction is to combine the functionality of both and not to recreate the functionality redundantly on each side. > > cheers! > > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. Viele Grüße, Henk
- [sacm] CoSWID and EAT and CWT Laurence Lundblade
- Re: [sacm] [Rats] CoSWID and EAT and CWT Ira McDonald
- Re: [sacm] [Rats] CoSWID and EAT and CWT Kathleen Moriarty
- Re: [sacm] [Rats] CoSWID and EAT and CWT Waltermire, David A. (Fed)
- Re: [sacm] [Rats] CoSWID and EAT and CWT Kathleen Moriarty
- Re: [sacm] [Rats] CoSWID and EAT and CWT Waltermire, David A. (Fed)
- Re: [sacm] [Rats] CoSWID and EAT and CWT Smith, Ned
- Re: [sacm] [Rats] CoSWID and EAT and CWT Hannes Tschofenig
- Re: [sacm] [Rats] CoSWID and EAT and CWT Laurence Lundblade
- Re: [sacm] [Rats] CoSWID and EAT and CWT Henk Birkholz
- Re: [sacm] [Rats] CoSWID and EAT and CWT Kathleen Moriarty
- Re: [sacm] [Rats] CoSWID and EAT and CWT Smith, Ned
- Re: [sacm] [Rats] CoSWID and EAT and CWT Henk Birkholz
- Re: [sacm] [Rats] CoSWID and EAT and CWT Henk Birkholz
- Re: [sacm] [Rats] CoSWID and EAT and CWT Thomas Fossati
- Re: [sacm] [Rats] CoSWID and EAT and CWT Laurence Lundblade
- Re: [sacm] [Rats] CoSWID and EAT and CWT Thomas Fossati
- Re: [sacm] [Rats] CoSWID and EAT and CWT Henk Birkholz
- Re: [sacm] [Rats] CoSWID and EAT and CWT Henk Birkholz
- Re: [sacm] [Rats] CoSWID and EAT and CWT Kathleen Moriarty
- Re: [sacm] [Rats] CoSWID and EAT and CWT Thomas Fossati
- Re: [sacm] [Rats] CoSWID and EAT and CWT Adrian Shaw
- Re: [sacm] [Rats] CoSWID and EAT and CWT Henk Birkholz
- Re: [sacm] [Rats] CoSWID and EAT and CWT Henk Birkholz
- Re: [sacm] [Rats] CoSWID and EAT and CWT Kathleen Moriarty
- Re: [sacm] [Rats] CoSWID and EAT and CWT Thomas Fossati
- Re: [sacm] [Rats] CoSWID and EAT and CWT Laurence Lundblade
- Re: [sacm] [Rats] CoSWID and EAT and CWT Henk Birkholz
- Re: [sacm] [Suit] [Rats] CoSWID and EAT and CWT Brendan Moran
- Re: [sacm] [Suit] [Rats] CoSWID and EAT and CWT Michael Richardson
- Re: [sacm] [Rats] [Suit] CoSWID and EAT and CWT Kathleen Moriarty
- Re: [sacm] [Suit] [Rats] CoSWID and EAT and CWT Smith, Ned
- Re: [sacm] [Rats] [Suit] CoSWID and EAT and CWT Laurence Lundblade
- Re: [sacm] [Suit] [Rats] CoSWID and EAT and CWT Michael Richardson
- Re: [sacm] [Suit] [Rats] CoSWID and EAT and CWT Henk Birkholz
- Re: [sacm] [Suit] [Rats] CoSWID and EAT and CWT Smith, Ned
- Re: [sacm] [Suit] [Rats] CoSWID and EAT and CWT Michael Richardson
- Re: [sacm] [Suit] [Rats] CoSWID and EAT and CWT Smith, Ned